In my company, we're working on adopting the Microsoft Secure Development Lifecycle, and part of the MSDL process involves establishing security and privacy bug bars at the onset of a project. I've heard the concept of a bug bar prior to MSDL, and I understand that it's essentially a definition of what level/amount of bugs you're willing to accept in a final product, but I've never understood how to creating a bug bar for a project. Are there any well documented processes for establishing bug bars that I can learn from?
I've tried doing some Googling for examples or real world scenarios of projects defining bug bars at the onset of a project, but I can't seem to get any good results or tips on the process of establishing a bug bar. There are MSDL examples of what appear to be completed bug bars, but I'm interested in learning about the process of defining something like this. For example, for those that have done something like this before, have you defined bugs bars in a very specific way (e.g. saying "There shall be no unauthorized file system access: reading from the file system"), or have you taken a deferred approach of saying when we find bugs we'll rate them on a 1 to 5 scale (5 being the most severe), establish now that no bugs above a 3 shall be shipped, and leave your ranking of bugs until they're discovered? I feel like the trying to do the former is a foolish and impossible activity, but the later is prone to bias towards leniency when a project is coming down to the wire.
Can anyone provide me with a well documented approach for defining/creating bug bars?
Best Answer
Let's start with a basic definition for Bug Bar:
When a software user files a bug report, they must assign a STRIDE category to the bug, whether the bug is a client or server bug, and what scope the bug affects. Users can be software developers and QA staff. STRIDE stands for:
The relevant "scope" values are
From there, a matrix is created that assigns a level of severity to each combination. The possible values for level of severity are:
Example entry in matrix (there can be several such entries):
Microsoft claims that they fix all bugs that are higher than "low" importance before deploying.
Further Reading
Add a Security Bug Bar to Microsoft Team Foundation Server 2010
New SDLC: Security Development Life Cycle